JP4666240B2 - Information processing apparatus, information processing method, program, and information processing system - Google Patents

Description

The present invention relates to an information processing device, an information processing method, a program, and an information processing system, and more particularly, to an information processing device, an information processing method, a program, and an information processing system that can prevent unauthorized access.

  IC cards have recently become widespread and are used by many users, for example, to pay for shopping at stores. In order to prevent unauthorized use of the IC card, authentication processing is required between the IC card and the reader / writer when using the IC card. Such a one-way authentication method between two devices is defined as Two pass authentication in ISO / IEC 9798-2 5.1.2. FIG. 1 shows this authentication method in a simplified manner.

  Steps S21 to S24 are processing of the device A, and steps S1 to S8 represent processing of the device B that authenticates the device A.

  The device B generates a random number rb in step S1, and transmits the random number rb to the device A in step S2.

In step S21, the device A receives the random number rb transmitted from the device B. In step S22, apparatus A generates a key Kab. In step S23, the device A encrypts the random number rb received from the device B with the key Kab. That is, the following equation is calculated and information Token ab is generated. Note that eKab (rb) represents that the random number rb is encrypted with the key Kab.
Token ab = eKab (rb) (1)

  In step S24, the device A transmits the information Token ab generated in step S23 to the device B.

  In step S3, the device B receives the information Token ab from the device A. In step S4, the device B generates a key Kab. In step S5, the device B decrypts the received information Token ab with the key Kab. As a result, a random number rb is obtained.

  In step S6, the device B determines whether the decryption result matches the random number rb. That is, it is determined whether the random number rb generated in step S1 matches the random number rb obtained by decrypting the information Token ab received from the device A in step S5. The key Kab held by the device A is a secret key assigned only to the legitimate device. The fact that the device A holds the key Kab means that the device A is a legitimate device. become.

  Therefore, if the decryption result does not match the random number rb, the device B executes an authentication failure process of the device A in step S7. On the other hand, when the decryption result matches the random number rb, the device B executes the authentication success processing of the device A in step S8.

  Also, a two-way authentication method between two devices is defined as Three pass authentication in ISO / IEC 9798-2 5.2.2. FIG. 2 shows this authentication method in a simplified manner.

  In step S31, the device B generates a random number rb. Apparatus B transmits this random number rb to apparatus A in step S32.

In step S51, the device A receives the random number rb transmitted from the device B. In step S52, apparatus A generates a random number ra and a key Kab. In step S53, the device A encrypts the random number ra and the random number rb with the key Kab. That is, the combination of the random number ra generated in step S52 and the random number rb received from the device B is encrypted according to the following equation. Note that (ra || rb) represents a combination of the random number ra and the random number rb.
Token ab = eKab (ra || rb) (2)

  In step S54, the device A transmits the information Token ab calculated by the equation (2) to the device B.

  In step S33, the device B receives the information Token ab from the device A. In step S34, the device B generates a key Kab.

  In step S35, the device B decrypts the information Token ab with the key Kab. As described above, the information Token ab is obtained by encrypting the combination (ra || rb) of the random number ra and the random number rb with the key Kab by the device A in step S53. || rb) is obtained.

  In step S36, the device B determines whether the decryption result matches the random number rb. That is, in this case, only the random number rb is extracted from the combination (ra || rb) obtained as a decryption result, is used as a comparison target, and is compared with the random number rb generated in step S31.

  If the device A is a legitimate information processing device, it has the correct fixed secret key Kab, so the two random numbers rb match.

  However, if the device A is an unauthorized device, it does not hold the correct key Kab. As a result, the two random numbers rb do not match. Therefore, in this case, in step S37, the device B executes an authentication failure process of the device A.

  If the two random numbers rb match, the device B executes a successful authentication process for the device A in step S38.

Further, in order to cause the device A to authenticate the device B, the device B encrypts the random number rb and the random number ra with the key Kab in step S39. That is, the combination of the random number rb generated in step S31 and the random number ra received from the device A is encrypted according to the following equation, and the information Token ba is generated.
Token ba = eKab (rb || ra) (3)

  In step S40, the device B transmits the information Token ba to the device A.

  In step S55, the device A receives the information Token ba from the device B. In step S56, the device A decrypts the information Token ba with the key Kab. As described above, the information Token ba is obtained by encrypting the combination (rb || ra) of the random number rb and the random number ra with the key Kab in step S39. || ra) is obtained.

  In step S57, the device A determines whether or not the random number rb, ra as a decryption result matches the random number rb received from the device A in step S51 and the random number ra generated in step S52.

  When the device B is a regular device, the device B has the same secret key Kab as the device A, so the two random numbers ra match and the two random numbers rb also match.

  However, if the device B is an unauthorized device, the device B does not hold the same secret key Kab as the device A. As a result, the random numbers ra and rb do not match. In this case, therefore, apparatus A executes an authentication failure process of apparatus B in step S58.

  If the random numbers ra and rb match, the device A executes an authentication success process for the device B in step S59.

  In the example of FIG. 2, the random numbers ra and rb are set as comparison targets in step S36 and step S57, but FIG. 3 shows an example of processing when the comparison target is a random number as encrypted. .

  In the example of FIG. 3, the processing of the device B in steps S61 to S70 is basically the same as the processing of the device B in steps S31 to S40 of FIG. 2, but the processing of steps S63, S65, and S66 of FIG. This is different from the processing of steps S33, S35, and S36 of FIG.

  3 is basically the same as the process of apparatus A in steps S51 to S59 of FIG. 2, but the processes of steps S84, S86, and S87 of FIG. This is different from the processing in steps S54, S56, and S57 in FIG.

  That is, in the case of the example in FIG. 3, the device A transmits not only the information Token ab but also the random number ra in step S84.

In apparatus B, not only information Token ab but also random number ra is received in step S63. In step S64, apparatus B generates a key Kab. In step S65, the device B encrypts the combination of the random number ra and the random number rb with the key Kab, and generates information Token ab. That is, the following equation is calculated.
Token ab = eKab (ra || rb) (4)

  In step S66, the device B determines whether or not the encryption result obtained in step S65 matches the information Token ab received from the device A in step S63. If the information Token ab calculated by Expression (4) does not match the information Token ab received from the device A, the authentication failure process of the device A is executed in step S67. On the other hand, when the information Token ab calculated by Expression (4) matches the information Token ab received from the device A, the authentication success process of the device A is executed in step S68.

Further, in order to cause the device A to authenticate the device B, in step S69, the device B encrypts the combination of the random number rb and the random number ra with the key Kab. That is, the combination of the random number rb generated in step S61 and the random number ra received from the device A is encrypted according to the following equation.
Token ba = eKab (rb || ra) (5)

  In step S70, the device B transmits the information Token ba calculated by the equation (5) to the device A.

In step S85, the device A receives the information Token ba from the device B. In step S86, the device A performs a process of encrypting the combination of the random number rb received from the device B in step S81 and the random number ra transmitted to the device B in step S84 with the key Kab. That is, the following equation is calculated.
Token ba = eKab (rb || ra) (6)

  In step S87, the device A determines whether or not the encryption result of step S86 (that is, the information token ba calculated in step S86) matches the information token ba received in step S85. If the two pieces of information Token ba do not match, the device A executes an authentication failure process of the device B in step S88.

  If the two pieces of information Token ba match, the device A executes an authentication success process for the device B in step S89.

  Other processes are the same as those in FIG.

  Further, the present applicant has also proposed a bidirectional authentication method (for example, Patent Document 1). 4 and 5 show this authentication method in a simplified manner.

  The device B generates a random number P in step S141, and generates a key Ka in step S142. In step S143, the device B encrypts the random number P with the key Ka and generates information i1. In step S144, apparatus B transmits information i1 to apparatus A.

  Apparatus A receives information i1 from apparatus B in step S171. In step S172, apparatus A generates a key Ka. In step S173, the device A decrypts the information i1 with the key Ka. Thereby, apparatus A acquires random number P in step S174.

  In step S175, apparatus A generates a key Kb. In step S176, apparatus A encrypts random number P with key Kb and generates information i2. In step S177, device A transmits information i2 to device B.

  In step S145, apparatus B receives information i2 from apparatus A. In step S146, device B generates key Kb. In step S147, the device B decrypts the information i2 with the key Kb. Thereby, the apparatus B acquires the random number P in step S148.

  In step S149, the device B confirms the consistency of the random number P. That is, it is determined whether the random number P generated in step S141, encrypted and transmitted to the device A in step S144 matches the random number P obtained by decrypting the information i2 received from the device A in step S147. The The keys Ka and Kb are assigned only to the regular device A. Therefore, when the two random numbers P match, the device B authenticates the device A as a legitimate device.

  Similarly, a process for authenticating apparatus B by apparatus A is performed.

  Apparatus A generates random number Q in step S178. In step S179, apparatus A encrypts random number Q with key Kb and generates information i3. The key Kb has been generated in step S175. In step S180, apparatus A transmits information i3 to apparatus B.

  Device B receives information i3 from device A in step S150. In step S151, the device B decrypts the information i3 with the key Kb. The key Kb has been generated in step S146. Thereby, the apparatus B acquires the random number Q in step S152.

  In step S153, the device B encrypts the random number Q with the key Ka and generates information i4. The key Ka has been generated in step S142. In step S154, apparatus B transmits information i4 to apparatus A.

  In step S181, apparatus A receives information i4 from apparatus B. In step S182, the device A decrypts the information i4 with the key Ka. The key Ka has been generated in step S172. Thereby, the apparatus A acquires the random number Q in step S183.

  In step S184, apparatus A checks the consistency of random number Q. That is, it is determined whether the random number Q generated in step S178, encrypted and transmitted to the device B in step S180 matches the random number Q obtained by decrypting the information i4 received from the device B in step S182. The The keys Ka and Kb are assigned only to the regular device B. Therefore, if the two random numbers Q match, device A authenticates device B as a legitimate device. The authentication result is transmitted to device B.

Japanese Patent No. 3897177

  FIG. 6 shows information exchange between the two devices in the above processing. That is, information i1 is transmitted from apparatus B to apparatus A in step S144, information i2 and information i3 are transmitted from apparatus A to apparatus B in steps S177 and S180, and information i4 is transmitted from apparatus B to apparatus A in step S154. Sent.

  Also in the case of the one-way authentication of FIG. 1, the random number rb is transmitted from the device B to the device A in step S2, and the information Token ab is transmitted from the device A to the device B in step S24.

  As a result, the device B can input the same plaintext as many times as necessary to the device A, and the device A can obtain the result of encrypting the plaintext with a certain key.

  In such a case, there is a possibility that a DFA (Differential Fault Analysis) attack may be received from a user (hacker) who attempts to gain unauthorized access to the device A. That is, the hacker prepares an unauthorized device B, and repeats the operation in which the device A irradiates the device A with a laser beam during the encryption process, causes the device A to generate an error with the energy, and obtains the processing result. Thus, the key held by the device A can be analyzed.

  The present invention has been made in view of such a situation, and makes it possible to prevent unauthorized access.

The first aspect of the present invention, a receiver for receiving the first random number from the other information processing apparatus, a random number generator for generating a second random number, the second random number to the first fixed key by applying a varying key generation unit when generating the time variable key for encryption, the first random number, an encryption unit for encrypting at the time-varying key, encrypted with the time-varying key In addition, the information processing apparatus includes a transmission unit that transmits the first random number and the second random number to the other information processing apparatus.

In the first aspect of the present invention, the first random number is received from another information processing apparatus, a second random number is generated, the second random number is the action for encryption to the first fixed key Are generated, the first random number is encrypted with the time variable key, and the first random number and the second random number encrypted with the time variable key are transmitted to another information processing apparatus.

According to a second aspect of the present invention, a random number generation unit that generates a first random number, a transmission unit that transmits the first random number to another information processing device, and a first time from the other information processing device. The first random number encrypted by a variable key, a receiving unit that receives the second random number, and the second random number is applied to the first fixed key so that the same first variable as the first time variable key A time variable key generating unit that generates a second time variable key, an authentication information generating unit that generates authentication information for authenticating the other information processing apparatus using the second time variable key, and the other information based on the authentication information. An information processing apparatus includes an authentication unit that authenticates the information processing apparatus.

In the second aspect of the present invention, a first random number is generated, the first random number is transmitted to another information processing apparatus, and encrypted from the other information processing apparatus with the first time-varying key. and one of the random number, the received second random number, the first fixed key same second time-varying key and is operatively second random number the first time variable key is generated, varying the time of the second Authentication information for authenticating another information processing apparatus is generated by the key, and the other information processing apparatus is authenticated by the authentication information.

According to a third aspect of the present invention, the first information processing device receives the first random number from the second information processing device , generates the second random number, and uses the second information as the first fixed key. a random number to act to generate a first time variable key for encryption, the first time encrypting the first random number in variable key, the said first random number is encrypted The second random number is transmitted to the second information processing apparatus, and the second information processing apparatus transmits the first random number encrypted from the first information processing apparatus and the second random number. And generating a second time-varying key that is the same as the first time-varying key by applying the second random number to the first fixed key, and authenticating information using the second time-varying key. Is generated, and the first information processing apparatus is authenticated by the authentication information.

In the third aspect of the present invention, the first information processing device receives the first random number from the second information processing device, generates the second random number, and the second random number is the first fixed value. key first time variable key for encryption is operatively generated first random number is encrypted with the first time-varying key, first encrypted with the first time variable key 1 And the second random number are transmitted to the second information processing apparatus. In addition, the first information processing device receives the first random number and the second random number that are transmitted from the first information processing device and encrypted by the first time-varying key, and receives the first fixed value. A second random number is applied to the key to generate a second time-varying key that is the same as the first time-varying key, and authentication information for authenticating the first information processing apparatus is generated by the second time-varying key, The first information processing apparatus is authenticated by the authentication information.

  The present invention has the following fourth to twelfth side surfaces in addition to the first to third side surfaces described above.

The fourth aspect is
A receiving unit that receives first information encrypted using the first fixed key from another information processing apparatus;
A generator for generating the first and second fixed keys and the second random number;
A decryption unit that obtains a first random number by decrypting the received first information using the generated first fixed key;
The second information is obtained by performing a predetermined logical operation on the decrypted first random number and the generated second random number and encrypting the logical operation value obtained as a result using the second fixed key. An encryption unit that generates third information by encrypting the second random number using the second fixed key;
An information processing apparatus comprising: a transmission unit that transmits the second and third information to the other information processing apparatus.

The receiving unit further receives, from the other information processing apparatus, fourth information encrypted using the first fixed key,
The decryption unit further decrypts the received fourth information by using the generated first fixed key, thereby performing a predetermined logical operation of the first random number and the second random number. Obtaining a value, obtaining the second random number by performing a predetermined logical operation on the obtained predetermined logical operation value and the decrypted first random number,
The information processing apparatus according to the fourth aspect, further comprising: an authentication unit that authenticates the other information processing apparatus using the acquired second random number.

The information processing apparatus according to the fourth aspect, wherein the predetermined logical operation is XOR (exclusive or).

The information processing apparatus according to the fourth aspect is an IC card.

The fourth aspect is
Receiving from the other information processing apparatus the first information encrypted using the first fixed key;
Generating the first fixed key;
Obtaining the first random number by decrypting the received first information using the generated first fixed key;
Generating a second fixed key and a second random number;
The second information is obtained by performing a predetermined logical operation on the decrypted first random number and the generated second random number and encrypting the logical operation value obtained as a result using the second fixed key. Produces
Generating the third information by encrypting the second random number with the second fixed key;
A program for causing a computer to execute a process of transmitting the second and third information to the other information processing apparatus.

The fifth aspect is
A generator for generating first and second fixed keys and a first random number;
An encryption unit that generates first information by encrypting the first random number using the first fixed key;
A transmission unit that transmits the first information to another information processing apparatus;
A receiving unit for receiving second and third information from the other information processing apparatus;
Using the generated second fixed key, the received second information is decrypted to obtain a predetermined logical operation value of the first random number and the second random number, and received. The second random number is obtained by decoding the third information, and the first random number is obtained by performing a predetermined logical operation on the acquired predetermined logical operation value and the decoded second random number. A decryption unit for obtaining
And an authentication unit that authenticates the other information processing apparatus with the acquired first random number.

The encryption unit further performs a predetermined logical operation on the generated first random number and the acquired second random number, and encrypts a logical operation value obtained as a result using the first fixed key. To generate the fourth information,
The transmitting unit further transmits the fourth information to the other information processing apparatus according to the fifth aspect.

The information processing apparatus according to the fifth aspect, wherein the predetermined logical operation is XOR (exclusive or).

The information processing apparatus according to the fifth aspect is a reader / writer.

The fifth aspect is
Generating a first fixed key and a first random number;
Generating first information by encrypting the first random number using the first fixed key;
Transmitting the first information to another information processing apparatus;
Receiving the second and third information from the other information processing apparatus;
Generate a second fixed key,
Using the generated second fixed key to obtain a predetermined logical operation value of the first random number and the second random number by decrypting the received second information;
Obtaining the second random number by decrypting the received third information;
Obtaining the first random number by performing a predetermined logical operation on the acquired predetermined logical operation value and the decrypted second random number;
A program for causing a computer to execute a process of authenticating the other information processing apparatus with the acquired first random number.

The sixth aspect is
The first information processing apparatus
Receiving the first information encrypted using the first fixed key from the second information processing apparatus;
Generating the first fixed key;
Obtaining the first random number by decrypting the received first information using the generated first fixed key;
Generating a second fixed key and a second random number;
The second information is obtained by performing a predetermined logical operation on the decrypted first random number and the generated second random number and encrypting the logical operation value obtained as a result using the second fixed key. Produces
Generating the third information by encrypting the second random number with the second fixed key;
Transmitting the second and third information to the second information processing apparatus;
The second information processing apparatus
Receiving the second and third information from the first information processing apparatus;
Generate a second fixed key,
Using the generated second fixed key to obtain a predetermined logical operation value of the first random number and the second random number by decrypting the received second information;
Obtaining the second random number by decrypting the received third information;
Obtaining the first random number by performing a predetermined logical operation on the acquired predetermined logical operation value and the decrypted second random number;
The information processing system performs authentication of the first information processing apparatus using the acquired first random number.

The seventh aspect
A receiving unit that receives first information encrypted using the first fixed key from another information processing apparatus;
A generator for generating the first fixed key and the second random number;
A decryption unit that obtains a first random number by decrypting the received first information using the generated first fixed key;
Using the generated second random number as a key, generating the second information by encrypting the decrypted first random number, and using the first fixed key to generate the second information An encryption unit that generates third information by encryption;
An information processing apparatus comprising: a transmission unit that transmits the second and third information to the other information processing apparatus.

The receiving unit further receives, from the other information processing apparatus, fourth information encrypted using the first random number as a key,
The decryption unit further obtains the second random number by decrypting the received fourth information using the obtained first random number,
The information processing apparatus according to the seventh aspect, further comprising: an authentication unit that authenticates the other information processing apparatus using the acquired second random number.

The information processing apparatus according to the seventh aspect is an IC card.

The seventh aspect is
Receiving from the other information processing apparatus the first information encrypted using the first fixed key;
Generating the first fixed key;
Obtaining the first random number by decrypting the received first information using the generated first fixed key;
Generate a second random number,
Generating the second information by encrypting the decrypted first random number using the generated second random number as a key;
Generating the third information by encrypting the second random number using the first fixed key;
A program for causing a computer to execute a process of transmitting the second and third information to the other information processing apparatus.

The eighth aspect is
A generator for generating a first fixed key and a first random number;
An encryption unit that generates first information by encrypting the first random number using the first fixed key;
A transmission unit that transmits the first information to another information processing apparatus;
A receiving unit for receiving second and third information from the other information processing apparatus;
The received second information is obtained by decrypting the received third information using the generated first fixed key, and the received second information is obtained by the second information obtained. A decryption unit that obtains the first random number by decrypting using the random number of
And an authentication unit that authenticates the other information processing apparatus with the acquired first random number.

The encryption unit further generates fourth information by encrypting the acquired second random number using the generated first random number as a key,
The transmitting unit further transmits the fourth information to the other information processing apparatus according to the eighth aspect.

The information processing apparatus according to the eighth aspect, wherein the information processing apparatus is a reader / writer.

The eighth aspect is
Generating a first fixed key and a first random number;
Generating first information by encrypting the first random number using the first fixed key;
Transmitting the first information to another information processing apparatus;
Receiving the second and third information from the other information processing apparatus;
A second random number is obtained by decrypting the received third information using the generated first fixed key;
Obtaining the first random number by decrypting the received second information using the obtained second random number;
A program for causing a computer to execute a process of authenticating the other information processing apparatus with the acquired first random number.

The ninth aspect
The first information processing apparatus
Receiving the first information encrypted using the first fixed key from the second information processing apparatus;
Generating the first fixed key;
Obtaining the first random number by decrypting the received first information using the generated first fixed key;
Generate a second random number,
Generating the second information by encrypting the decrypted first random number using the generated second random number as a key;
Generating the third information by encrypting the second random number using the first fixed key;
Transmitting the second and third information to the second information processing apparatus;
The second information processing apparatus
Generating the first fixed key and the first random number;
Generating first information by encrypting the first random number using the first fixed key;
Transmitting the first information to the first information processing apparatus;
Receiving the second and third information from the first information processing apparatus;
A second random number is obtained by decrypting the received third information using the generated first fixed key;
Obtaining the first random number by decrypting the received second information using the obtained second random number;
The information processing system performs authentication of the first information processing apparatus using the acquired first random number.

The tenth aspect
A receiving unit that receives first information encrypted using the first fixed key from another information processing apparatus;
A generator for generating the first fixed key and the second random number;
A decryption unit that obtains a first random number by decrypting the received first information using the generated first fixed key;
The decrypted first random number is subjected to a predetermined conversion process using the generated second random number, and the predetermined conversion process result is encrypted by using the second random number as a key. An encryption unit that generates third information by generating the second information and encrypting the second random number using the first fixed key;
An information processing apparatus comprising: a transmission unit that transmits the second and third information to the other information processing apparatus.

The receiving unit further receives, from the other information processing apparatus, fourth information encrypted using the first random number as a key,
The decryption unit further decrypts the received fourth information using the acquired first random number, and further performs an inverse transform process of the predetermined transform process, thereby performing the second transform process. Get a random number,
The information processing apparatus according to the ninth aspect, further comprising: an authentication unit configured to authenticate the other information processing apparatus using the acquired second random number.

The information processing apparatus according to the ninth aspect, wherein the information processing apparatus is an IC card.

The ninth aspect is
Receiving from the other information processing apparatus the first information encrypted using the first fixed key;
Generating the first fixed key;
Obtaining the first random number by decrypting the received first information using the generated first fixed key;
Generate a second random number,
The decrypted first random number is subjected to a predetermined conversion process using the generated second random number, and the predetermined conversion process result is encrypted by using the second random number as a key. 2 information is generated,
Generating the third information by encrypting the second random number using the first fixed key;
A program for causing a computer to execute a process of transmitting the second and third information to the other information processing apparatus.

The tenth aspect
A generator for generating a first fixed key and a first random number;
An encryption unit that generates first information by encrypting the first random number using the first fixed key;
A transmission unit that transmits the first information to another information processing apparatus;
A receiving unit for receiving second and third information from the other information processing apparatus;
The received second information is obtained by decrypting the received third information using the generated first fixed key, and the received second information is obtained by the second information obtained. A decoding unit that obtains the first random number by performing a reverse conversion process of a predetermined conversion process,
And an authentication unit that authenticates the other information processing apparatus with the acquired first random number.

The encryption unit further encrypts the acquired second random number using the generated first random number as a key, and further generates the fourth information by performing the predetermined conversion process. ,
The transmitting unit further transmits the fourth information to the other information processing apparatus.

The information processing apparatus according to the tenth aspect, wherein the information processing apparatus is a reader / writer.

The eleventh aspect is
Generating a first fixed key and a first random number;
Generating first information by encrypting the first random number using the first fixed key;
Transmitting the first information to another information processing apparatus;
Receiving the second and third information from the other information processing apparatus;
A second random number is obtained by decrypting the received third information using the generated first fixed key;
The received second information is decrypted using the acquired second random number, and the first random number is acquired by performing an inverse conversion process of a predetermined conversion process,
A program for causing a computer to execute a process of authenticating the other information processing apparatus with the acquired first random number.

The twelfth aspect
The first information processing apparatus
Receiving the first information encrypted using the first fixed key from the second information processing apparatus;
Generating the first fixed key;
Obtaining the first random number by decrypting the received first information using the generated first fixed key;
Generate a second random number,
The decrypted first random number is subjected to a predetermined conversion process using the generated second random number, and the predetermined conversion process result is encrypted by using the second random number as a key. 2 information is generated,
Generating the third information by encrypting the second random number using the first fixed key;
Transmitting the second and third information to the second information processing apparatus;
The second information processing apparatus
Generating a first fixed key and a first random number;
Generating first information by encrypting the first random number using the first fixed key;
Transmitting the first information to the first information processing apparatus;
Receiving second and third information from the first information processing apparatus;
A second random number is obtained by decrypting the received third information using the generated first fixed key;
The received second information is decrypted using the acquired second random number, and the first random number is acquired by performing an inverse conversion process of a predetermined conversion process,
The information processing system performs authentication of the first information processing apparatus using the acquired first random number.

  As described above, according to the aspects of the present invention, unauthorized access can be prevented.

It is a flowchart explaining the conventional one-way authentication process. It is a flowchart explaining the conventional bidirectional | two-way authentication process. It is a flowchart explaining the conventional bidirectional | two-way authentication process. It is a flowchart explaining the conventional bidirectional | two-way authentication process. It is a flowchart explaining the conventional bidirectional | two-way authentication process. It is a figure explaining the conventional bidirectional | two-way authentication process. It is a block diagram which shows the structural example of the information processing system of this invention. It is a block diagram which shows the structural example of one information processing apparatus which comprises an information processing system. It is a block diagram which shows the structural example of the other information processing apparatus which comprises an information processing system. It is a flowchart explaining the one-way authentication process of the 1st system of one embodiment of this invention. It is a figure explaining the authentication process of one embodiment of this invention. It is a flowchart explaining the bidirectional | two-way authentication process of the 1st system of one embodiment of this invention. It is a flowchart explaining the bidirectional | two-way authentication process of the 1st system of one embodiment of this invention. It is a flowchart explaining the bidirectional | two-way authentication process of the 1st system of one embodiment of this invention. It is a flowchart explaining the bidirectional | two-way authentication process of the 1st system of one embodiment of this invention. It is a flowchart explaining the one-way authentication process of the 2nd system of one embodiment of this invention. It is a flowchart explaining the bidirectional | two-way authentication process of the 2nd system of one embodiment of this invention. It is a flowchart explaining the bidirectional | two-way authentication process of the 2nd system of one embodiment of this invention. It is a flowchart explaining the bidirectional | two-way authentication process of the 2nd system of one embodiment of this invention. It is a flowchart explaining the bidirectional | two-way authentication process of the 2nd system of one embodiment of this invention. It is a flowchart explaining the bidirectional | two-way authentication process of the 3rd system of one embodiment of this invention. It is a flowchart explaining the modification of the bidirectional | two-way authentication process of the 3rd system shown by FIG. It is a flowchart explaining the bidirectional | two-way authentication process of the 4th system of one embodiment of this invention. It is a flowchart explaining the modification of the bidirectional | two-way authentication process of the 4th system shown by FIG. It is a flowchart explaining the bidirectional | two-way authentication process of the 5th system of one embodiment of this invention.

Hereinafter, the best mode for carrying out the invention (hereinafter referred to as an embodiment) will be described in detail with reference to the drawings. The description will be given in the following order.
1. 1. Configuration example of information processing system 1. First embodiment 2. Second embodiment 3. Third embodiment 4. Fourth embodiment Fifth embodiment

<1. Configuration example of information processing system>
Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  FIG. 7 is a block diagram showing the configuration of an embodiment of the information processing system of the present invention. The information processing system 100 includes an information processing device 111 and an information processing device 141. The information processing apparatus 111 is configured by, for example, an IC card, and the information processing apparatus 141 is configured by, for example, a reader / writer that accesses the IC card. The information processing apparatus 111 and the information processing apparatus 141 perform proximity communication, for example, and exchange information. The information processing apparatus 141 is connected to a computer (not shown) as necessary.

  FIG. 8 shows a configuration of an embodiment of the information processing apparatus 111. In the case of this embodiment, the information processing apparatus 111 includes an antenna unit 121, a reception unit 122, a decryption unit 123, an authentication unit 124, an encryption unit 125, a transmission unit 126, a generation unit 127, a generation unit 128, and a storage unit 129. It is comprised by.

  The antenna unit 121 communicates with the antenna unit 151 (see FIG. 9 described later) of the information processing apparatus 141 by exchanging electromagnetic waves. The receiving unit 122 receives and demodulates a signal transmitted from the information processing apparatus 141 via the antenna unit 121. The decryption unit 123 decrypts the encrypted information received by the reception unit 122. The authentication unit 124 authenticates the information processing apparatus 141 based on information from the decryption unit 123 and controls each unit.

  The encryption unit 125 is controlled by the authentication unit 124 and encrypts information to be transmitted to the information processing apparatus 141. In addition, the encryption unit 125 performs a predetermined logical operation process on information transmitted to the information processing apparatus 141 or information transmitted from the information processing apparatus 141, or performs a predetermined conversion process and its inverse conversion process. Or The transmission unit 126 modulates information supplied from the encryption unit 125 and the like, outputs the modulated information to the antenna unit 121, and transmits the information to the information processing apparatus 141. The generation unit 127 generates a key for encrypting or decrypting information. This key may be generated by calculating each time, or may be generated by reading a stored key. The generation unit 127 generates a random number. The random number need not be a mathematical random number, and may be a pseudo-random number or a counter value generated by a counter as long as it can be practically treated as a random number.

  The generation unit 128 generates a time-varying key based on information from the generation unit 127 and the like, and supplies it to the decryption unit 123 and the encryption unit 125. A time-varying key is a key that changes each time it is generated. The storage unit 129 is connected to the authentication unit 124 and stores necessary data, programs, and other information.

  The output of the reception unit 122 is supplied to the authentication unit 124, the encryption unit 125, the generation unit 128, and the like, in addition to the decryption unit 123. The output of the authentication unit 124 is supplied to the transmission unit 126 in addition to the encryption unit 125. The output of the generation unit 127 is supplied to the decryption unit 123, the authentication unit 124, the encryption unit 125, the transmission unit 126, and the like, in addition to the generation unit 128. The output of the generation unit 128 is supplied to the authentication unit 124 in addition to the decryption unit 123 and the encryption unit 125.

  FIG. 9 shows a configuration of an embodiment of the information processing apparatus 141. In the case of this embodiment, the information processing apparatus 141 includes an antenna unit 151, a reception unit 155, a decryption unit 153, an authentication unit 154, an encryption unit 155, a transmission unit 156, a generation unit 157, a generation unit 158, a storage unit 159, And an interface 160.

  The antenna unit 121 communicates with the antenna unit 121 of the information processing apparatus 111 by exchanging electromagnetic waves. The receiving unit 152 receives and demodulates a signal transmitted from the information processing apparatus 111 via the antenna unit 151. The decryption unit 153 decrypts the encrypted information received by the reception unit 152. The authentication unit 154 authenticates the information processing apparatus 141 based on information from the decryption unit 153 and controls each unit.

  The encryption unit 155 is controlled by the authentication unit 154 and encrypts information to be transmitted to the information processing apparatus 111. In addition, the encryption unit 155 performs a predetermined logical operation process on the information transmitted to the information processing apparatus 111 or the information transmitted from the information processing apparatus 111, or performs a predetermined conversion process and its inverse conversion. To do. The transmission unit 156 modulates information supplied from the encryption unit 155 and the like, outputs the modulated information to the antenna unit 151, and causes the information processing apparatus 111 to transmit the information. The generation unit 157 generates a key for encrypting or decrypting information. This key may be generated by calculating each time, or may be generated by reading a stored key. The generation unit 157 generates a random number. The random number does not need to be a random number in a mathematical sense, and may be a pseudo random number as long as it can be practically treated as a random number.

  The generation unit 158 generates a time-varying key based on information from the generation unit 157 and the like, and supplies the time-varying key to the decryption unit 153 and the encryption unit 155. The storage unit 159 is connected to the authentication unit 154 and stores necessary data, programs, and other information. An interface 160 connected to the authentication unit 154 communicates with an external computer.

  The output of the reception unit 152 is supplied to the authentication unit 154, the encryption unit 155, the generation unit 158, etc., in addition to the decryption unit 153. The output of the authentication unit 154 is supplied to the transmission unit 156 as well as the encryption unit 155. The output of the generation unit 157 is supplied to the decryption unit 153, the authentication unit 154, the encryption unit 155, the transmission unit 156, etc., in addition to the generation unit 158. The output of the generation unit 158 is supplied to the authentication unit 154 in addition to the decryption unit 153 and the encryption unit 155.

<2. First Embodiment>
Next, the first method of authentication processing will be described. In the first type of authentication processing, a random number used for authentication is encrypted and transmitted from the authenticating device to the authenticating device.

  First, a one-way authentication process will be described with reference to FIG.

In the information processing apparatus 141, the generation unit 157 generates a random number A in step S1001. In step S1002, the generation unit 157 generates the key K1. In step S1003, the encryption unit 155 encrypts the random number A with the key K1. That is, the following equation is calculated. eK1 (A) means that the random number A is encrypted with the key K1.
Token BA = eK1 (A) (7)

  In step S <b> 1004, the transmission unit 156 transmits information I <b> 1 to the information processing apparatus 111. That is, the information I1 is transmitted to the information processing apparatus 111 via the antenna unit 151. The information I1 includes the information Token BA calculated by Expression (7).

  In the information processing apparatus 111, the reception unit 122 receives the information I1 transmitted from the information processing apparatus 141 via the antenna unit 121 in step S1051. In step S1052, the generation unit 127 generates a key K1. In step S1053, the decryption unit 123 decrypts the information I1 with the key K1. Thereby, the decryption unit 123 acquires the random number A in step S1054.

In step S1055, the generation unit 127 generates the key K2. In step S1056, the generation unit 127 generates a random number C. In step S1057, the generation unit 128 generates a key K2C. That is, according to the following formula, the random number C is applied to the fixed key K2 to generate the key K2C.
K2C = f (C, K2) (8)

  Since the random number C changes every time, the key K2C calculated by applying the random number C to the fixed key K2 is a time-varying key that changes every time. Therefore, the random number C is a random number as basic information that is the basis of time-varying of the time-varying key.

In step S1058, the encryption unit 125 encrypts the random number A with the key K2C. That is, the following equation is calculated.
Token AB = eK2C (A) (9)

  In step S1059, the transmission unit 126 transmits information I2 to the information processing apparatus 141. That is, the information I2 is transmitted to the information processing apparatus 141 via the antenna unit 121. The information I2 includes the information Token AB calculated by Expression (9) and the random number C generated in step S1056.

In the information processing apparatus 141, the reception unit 152 receives the information I2 transmitted from the information processing apparatus 111 via the antenna unit 151 in step S1005. In step S1006, the generation unit 157 generates the key K2. In step S1007, the generation unit 158 extracts the random number C from the information I2 received in step S1005. In step S1008, the generation unit 158 generates a key K2C. That is, the following equation is calculated.
K2C = f (C, K2) (10)

  In step S1009, the decryption unit 153 as the authentication information generation unit performs a process of generating authentication information for performing authentication determination in later step S1011. Specifically, in this embodiment, the decryption unit 153 decrypts the information I2 with the key K2C. Thereby, the decryption unit 153 acquires the random number A in step S1010.

  In step S <b> 1011, the authentication unit 154 performs authentication based on the consistency of the random number A. That is, it is determined whether or not the random number A generated in step S1001 and encrypted and transmitted to the information processing apparatus 111 in step S1003 matches the random number A acquired in step S1010. The keys K1 and K2 are secret keys held only by the authorized information processing apparatus 111. Therefore, when the information processing apparatus 111 is a legitimate information processing apparatus, the two random numbers A match. On the other hand, when the information processing apparatus 111 is not a legitimate information processing apparatus, the two random numbers A do not match because they do not have the key K1 and the key K2. Therefore, the information processing apparatus 141 can authenticate the information processing apparatus 111 from the coincidence of two random numbers.

  As described above, the information processing apparatus 141 authenticates the information processing apparatus 111.

  FIG. 11 shows the exchange of information between the two devices in the above processing. That is, the information I1 is transmitted from the information processing apparatus 141 to the information processing apparatus 111 in step S1154, and the information I2 is transmitted from the information processing apparatus 111 to the information processing apparatus 141 together with the random number C in step S1189.

  In step S1154, the information processing apparatus 141 supplies the same information I1 to the information processing apparatus 111 a plurality of times, and in step S1155, information processing result information I2 can be obtained. However, the information I2 as the processing result is calculated by the time-varying key K2C that changes every time. Therefore, even if a large number of processing results are collected and analyzed by a DFA attack, the key that processed the data cannot be identified. In other words, it can defend against DFA attacks.

  Next, the bidirectional authentication processing of the first method will be described with reference to the flowcharts of FIGS.

  First, the information processing apparatus 141 performs processing for authenticating the information processing apparatus 111. This process is substantially the same as the process of FIG.

That is, the generation unit 157 of the information processing apparatus 141 generates a random number A in step S1151. In step S1152, the generation unit 157 generates a key K1. In step S1153, the encryption unit 155 encrypts the random number A with the key K1. That is, the following equation is calculated.
Token BA = eK1 (A) (11)

  In step S <b> 1154, the transmission unit 156 transmits information I <b> 1 to the information processing apparatus 111. The information I1 includes the information Token BA calculated by Expression (11).

  In the information processing apparatus 111, the receiving unit 122 receives the information I1 transmitted from the information processing apparatus 141 in step S1181. In step S1182, the generation unit 127 generates the key K1. In step S1183, the decryption unit 123 decrypts the information I1 with the key K1. Thereby, the decryption unit 123 acquires the random number A in step S1184.

In step S1185, the generation unit 127 generates the key K2. In step S1186, the generation unit 127 generates a random number C. In step S1187, the generation unit 128 generates a key K2C. That is, according to the following formula, the random number C is applied to the fixed key K2 to generate the key K2C.
K2C = f (C, K2) (12)

In step S1188, the encryption unit 125 encrypts the random number A with the key K2C. That is, the following equation is calculated.
Token AB = eK2C (A) (13)

  In step S1189, the transmission unit 126 transmits the information I2 to the information processing device 141. The information I2 includes the information Token AB calculated by Expression (13) and the random number C generated in step S1186.

In the information processing apparatus 141, the reception unit 152 receives the information I2 transmitted from the information processing apparatus 111 in step S1155. In step S1156, the generation unit 157 generates the key K2. In step S1157, the generation unit 158 extracts the random number C from the information I2 received in step S1155. In step S1158, the generation unit 158 generates a key K2C. That is, the following equation is calculated.
K2C = f (C, K2) (14)

  In step S1159, the decryption unit 153 serving as an authentication information generation unit performs processing for generating authentication information for performing authentication determination in later step S1161. Specifically, in this embodiment, the decryption unit 153 decrypts the information I2 with the key K2C. Thereby, the decryption unit 153 acquires the random number A in step S1160.

  In step S1161, the authentication unit 154 performs authentication based on the consistency of the random number A. That is, it is determined whether or not the random number A generated in step S1151 and encrypted and transmitted to the information processing apparatus 111 in step S1153 matches the random number A acquired in step S1160. The keys K1 and K2 are secret keys held only by the authorized information processing apparatus 111. Therefore, when the information processing apparatus 111 is a legitimate information processing apparatus, the two random numbers A match. On the other hand, when the information processing apparatus 111 is not a legitimate information processing apparatus, the two random numbers A do not match because they do not have the key K1 and the key K2. Therefore, the information processing apparatus 141 can authenticate the information processing apparatus 111 from the coincidence of two random numbers.

  When the information processing apparatus 141 authenticates the information processing apparatus 111 as described above, processing for the information processing apparatus 111 to authenticate the information processing apparatus 141 is performed next.

That is, in the information processing apparatus 111, the generation unit 127 generates a random number B in step S1190. In step S1191, the encryption unit 125 encrypts the random number B with the key K2C. That is, the following equation is calculated.
Token AB = eK2C (B) (15)

  In step S1192, the transmission unit 126 transmits the information I3 to the information processing device 141. The information I3 includes the information Token AB calculated by Expression (15) and the random number B generated in step S1190.

  In the information processing apparatus 141, the reception unit 152 receives the information I3 transmitted from the information processing apparatus 111 in step S1162. In step S1163, the decryption unit 153 decrypts the information I3 with the key K2C. The key K2C has been generated in step S1158. Since the information I3 includes information obtained by encrypting the random number B with the key K2C in step S1191, the decrypting unit 153 acquires the random number B in step S1164.

In step S1165, the encryption unit 155 encrypts the random number B with the key K1. That is, the following equation is calculated.
Token BA = eK1 (B) (16)

  In step S <b> 1166, the transmission unit 156 transmits information I <b> 4 to the information processing apparatus 111. The information I4 includes the information Token BA calculated by the equation (16).

  In the information processing apparatus 111, the reception unit 122 receives the information I4 transmitted from the information processing apparatus 141 in step S1193. In step S1194, the decryption unit 123 serving as an authentication information generation unit performs processing for generating authentication information for performing authentication determination in later step S1196. Specifically, in the case of this embodiment, the decryption unit 123 decrypts the information I4 with the key K1. Thereby, the decryption unit 123 acquires the random number B in step S1195. The key K1 has been generated in step S1182.

  In step S1196, the authentication unit 124 performs authentication based on the consistency of the random number B. That is, it is determined whether the random number B encrypted in step S1191 and transmitted to the information processing apparatus 141 matches the random number B acquired in step S1195. The keys K1 and K2 are secret keys held only by the legitimate information processing apparatus 141. Therefore, when the information processing device 141 is a regular information processing device, the two random numbers B match. On the other hand, when the information processing device 141 is not a regular information processing device, the two random numbers B do not match because they do not have the key K1 and the key K2. Therefore, the information processing apparatus 111 can authenticate the information processing apparatus 141 from the coincidence of two random numbers. The authentication result is transmitted to the information processing apparatus 141.

  In the embodiment shown in FIGS. 12 and 13, the information I4 is decrypted in step S1194 to obtain a random number B, and authentication is performed based on the random number B based on the consistency in step S1196. Authentication can also be performed in an encrypted state. An embodiment in this case is shown in FIGS.

  The processing of the information processing apparatus 141 in steps S1221 to S1236 in FIGS. 14 and 15 is the same as the processing in steps S1151 to S1166 in FIGS. Further, the processing of the information processing apparatus 111 from steps S1261 to S1272 in FIGS. 14 and 15 is the same as the processing from steps S1181 to S1192 in FIGS. The processing in steps S1273 to S1276 in FIG. 15 is different from the processing in steps S1194 to S1196 in FIG.

That is, in the embodiment of FIG. 14 and FIG. 15, the encryption unit 125 of the information processing apparatus 111 as the authentication information generation unit generates authentication information for performing authentication determination in the subsequent step S1276 in step S1273. Process. Specifically, in the case of this embodiment, the encryption unit 125 encrypts the random number B with the key K1. That is, the following equation is calculated. The key K1 has been generated in step S1262.
Token AB = eK1 (B) (17)

  Accordingly, in step S1274, the generation unit 127 acquires information I4. The information I4 includes the information Token AB calculated by the equation (17), that is, the random number B encrypted with the key K1.

  In step S1275, the reception unit 122 receives the information I4 transmitted from the information processing apparatus 141. This information I4 includes the random number B encrypted with the key K1 in step S1235. Accordingly, in step S1276, authentication can be performed based on the consistency of the information I4 (encrypted random number B). That is, if the information I4 (encrypted random number B) acquired in step S1274 matches the information I4 (encrypted random number B) received in step S1275, the information processing apparatus 141 has been authenticated. become.

  As described above, the random number B in the unencrypted state is compared in step S1196 in FIG. 13, while the random number B in the encrypted state is compared in step S1276 in FIG. .

<3. Second Embodiment>
Next, the second method of authentication processing will be described. In the authentication process of the second method, a random number used for authentication is not encrypted and is transmitted from the authenticating device to the authenticating device.

  First, a one-way authentication process will be described with reference to FIG. In the case of this embodiment, the information processing apparatus 141 authenticates the information processing apparatus 111.

  In step S2101, the generation unit 157 of the information processing device 141 generates a random number RB. In step S2102, the transmission unit 156 transmits the random number RB received from the generation unit 157. That is, the random number RB is supplied to the information processing apparatus 111 via the antenna unit 151.

  In step S <b> 2121, the reception unit 122 of the information processing apparatus 111 receives the random number RB transmitted from the information processing apparatus 141 via the antenna unit 121. In step S2122, the generating unit 127 generates a random number RC and a key KAB. This random number RC is basic information that serves as a basis for time-varying the key KC, which is a time-varying key, in the processing of the next step S2123. The key KAB is a secret key that is held in advance only in the authorized information processing apparatus 111.

In step S2123, the generation unit 128 calculates the key KC from the random number RC and the key KAB. That is, the following calculation is performed.
KC = f (RC, KAB) (18)

  Since the random number RC changes every time, the key KC calculated by applying the random number RC to the fixed key KAB becomes a time-varying key that changes every time.

In step S2124, the encryption unit 125 encrypts the random number RB with the key KC. That is, the following equation is calculated.
Token AB = eKC (RB) (19)

  In step S2125, the transmission unit 126 transmits the information Token AB generated by the encryption unit 125 and the random number RC generated by the generation unit 127 to the information processing apparatus 141. That is, the information Token AB calculated by the equation (19) and the random number RC generated in step S2122 are transmitted from the antenna unit 121 to the information processing apparatus 141.

  The receiving unit 152 of the information processing device 141 receives the information Token AB and the random number RC from the information processing device 111 via the antenna unit 151 in step S2103. In step S2104, the generation unit 157 generates a key KAB. This key KAB is the same secret key as the key KAB generated by the information processing apparatus 111 in step S2122. This key KAB is held in advance only in the authorized information processing apparatus 141.

  In step S2105, the generation unit 158 calculates a key KC from the random number RC and the key KAB according to the following equation.

KC = f (RC, KAB) (20)
The random number RC is received from the information processing apparatus 111 in step S2103, and the key KAB is generated in step S2104.

  In step S2106, the decryption unit 153 as the authentication information generation unit performs processing for generating authentication information for performing authentication determination in the next step S2107. Specifically, in the case of this embodiment, the decryption unit 153 decrypts the information Token AB received from the information processing apparatus 111 in step S2103 with the key KC. As described above, since the information token 111 is obtained by encrypting the random number RB with the key KC by the information processing apparatus 111 in step S2124, the decryption process obtains the random number RB as information for performing the authentication determination. It is done.

  In step S2107, the authentication unit 154 determines whether the decryption result matches the random number RB. That is, the random number RB obtained by decrypting in step S2106 and the random number RB generated in step S2101 are compared to determine whether they match.

  If the information processing device 111 is a legitimate information processing device, it has the correct fixed key KAB, so the key KC generated by the information processing device 111 acting on the key KAB with the random number RB is information The value is the same as the key KC generated by the processing device 141 in step S2105. Therefore, in this case, the two random numbers RB match. Therefore, at this time, in step S2109, the authentication unit 154 executes authentication success processing of the information processing apparatus 111.

  On the other hand, when the information processing apparatus 111 is an unauthorized information processing apparatus, the correct key KAB is not held. As a result, the two random numbers RB do not match. Therefore, in this case, in step S2108, the authentication unit 154 executes an authentication failure process of the information processing apparatus 111.

  The information processing apparatus 141 can supply the same data to the information processing apparatus 111 a plurality of times in step S2102, and obtain a processing result for the data in step S2103. However, the processing result is calculated by the time-varying key KC that changes every time. Therefore, even in this embodiment, even if a large number of processing results are collected and analyzed by a DFA attack using an unauthorized information processing apparatus 141, the key that processed the data cannot be specified.

  Next, a two-way bidirectional authentication process will be described with reference to the flowchart of FIG.

  In step S2301, the generation unit 157 of the information processing device 141 generates a random number RB. In step S2302, the transmission unit 156 transmits the random number RB to the information processing apparatus 111.

In the information processing apparatus 111, the receiving unit 122 receives the random number RB transmitted from the information processing apparatus 141 in step S2321. In step S2322, the generating unit 127 generates random numbers RA and RC and a key KAB. In step S2323, the generation unit 128 calculates the key KC from the random number RC and the key KAB as basic information that is the basis of the time-varying key. That is, the following equation is calculated to generate a key KC that is a time-varying key.
KC = f (RC, KAB) (21)

In step S2324, the encryption unit 125 encrypts the random number RA and the random number RB with the key KC. That is, the combination (RA || RB) of the random number RA generated in step S2322 and the random number RB received from the information processing apparatus 141 is encrypted according to the following equation.
Token AB = eKC (RA || RB) (22)

  In step S2325, the transmission unit 126 transmits the information Token AB and the random number RC to the information processing apparatus 141. The information Token AB is a value represented by Expression (22), and the random number RC is the value generated in step S2322.

  In the information processing apparatus 141, the reception unit 152 receives the information Token AB and the random number RC from the information processing apparatus 111 in step S2303. In step S2304, the generation unit 157 generates a key KAB.

In step S2305, the generation unit 158 calculates a key KC from the random number RC and the key KAB. That is, the following equation is calculated to generate a key KC that is a time-varying key.
KC = f (RC, KAB) (23)

  In step S2306, the decryption unit 153 as the authentication information generation unit performs processing for generating authentication information for performing authentication determination in the next step S2307. Specifically, in the case of this embodiment, the decryption unit 153 decrypts the information Token AB, which is the information received from the information processing apparatus 111 in step S2303, with the key KC. As described above, since the information processing apparatus 111 encrypts the combination of the random number RA and the random number RB (RA || RB) with the key KC in step S2324, the information Token AB is combined by this decryption process. (RA || RB) is obtained.

  In step S2307, the authentication unit 154 determines whether the decryption result matches the random number RB. However, in this case, only the random number RB is extracted from the combination (RA || RB) obtained as a decryption result, is used as a comparison target, is generated in step S2301, and is transmitted to the information processing apparatus 111 in step S2302. Compared with random number RB. The extracted random number RA is used in the process of step S2310 described later.

  If the information processing device 111 is a legitimate information processing device, it has the correct fixed key KAB, so the key KC generated by the information processing device 111 acting on the key KAB with the random number RB is information The value is the same as the key KC generated by the processing device 141 in step S2305. Therefore, in this case, the two random numbers RB match.

  However, when the information processing apparatus 111 is an unauthorized information processing apparatus, the correct key KAB is not held. As a result, the two random numbers RB do not match. Therefore, in this case, in step S2308, the authentication unit 154 executes an authentication failure process of the information processing apparatus 111.

  If the two random numbers RB match, the authentication unit 154 executes authentication success processing of the information processing apparatus 111 in step S2309. In this way, the information processing apparatus 141 authenticates the information processing apparatus 111.

  The information processing apparatus 141 can supply the same data to the information processing apparatus 111 a plurality of times in step S2302 and obtain a processing result for the data in step S2303. However, the processing result is calculated by the time-varying key KC that changes every time. Therefore, even if a large number of processing results are collected and analyzed by a DFA attack using an unauthorized information processing apparatus 141, the key that processed the data cannot be specified.

  Further, in order to cause the information processing apparatus 111 to authenticate the information processing apparatus 141, the following processing is executed.

In step S2310, the encryption unit 155 encrypts the random number RB and the random number RA with the key KC. That is, the combination (RB || RA) of the random number RB transmitted to the information processing apparatus 111 in step S2302 and the random number RA received from the information processing apparatus 111 is encrypted according to the following equation.
Token BA = eKC (RB || RA) (24)

  In step S2324, Token AB obtained by encrypting the combination (RA || RB) of random number RA and random number RB with key KC according to equation (22), and random number RB according to equation (24) in step S2310. The Token BA obtained by encrypting the combination (RB || RA) of the random number RA with the key KC has a different value because the order of the random number RA and the random number RB is different.

  In step S2311, the transmission unit 156 transmits the information Token BA calculated by Expression (24) to the information processing apparatus 111.

  In the information processing apparatus 111, the reception unit 122 receives the information Token BA from the information processing apparatus 141 in step S2326. In step S2327, the decryption unit 123 serving as an authentication information generation unit performs processing for generating authentication information for performing authentication determination in the next step S2328. Specifically, in the case of this embodiment, the decryption unit 123 decrypts the information Token BA, which is the information received from the information processing apparatus 141 in step S2326, with the key KC. As described above, since the information processing device 141 encrypts the combination of the random number RB and the random number RA (RB || RA) with the key KC in step S2310, the information Token BA is combined by this decryption process. (RB || RA) is obtained.

  In step S2328, the authentication unit 124 determines whether the decryption result matches the random number RA and the random number RB. In other words, in this case, both the random number RA and the random number RB are extracted from the combination (RB || RA) obtained as a decryption result, are compared, and are included in the information Token AB and transmitted to the information processing apparatus 141 in step S2325. The random number RA and the random number RB are compared with the values before being encrypted by the equation (22).

  If the information processing device 141 is a legitimate information processing device, it has the correct fixed key KAB, so the key KC generated by the information processing device 141 acting on the key KAB with the random number RC is the information The processing device 111 has the same value as the key KC generated in step S2323. Therefore, in this case, the two sets of random numbers RA and random numbers RB match.

  However, when the information processing apparatus 141 is an unauthorized information processing apparatus, the correct key KAB is not held. As a result, the two sets of random numbers RA and random numbers RB do not match. Therefore, in this case, in step S2329, the authentication unit 124 executes an authentication failure process of the information processing apparatus 141.

  If the two sets of random numbers RA and RB match, the authentication unit 124 executes authentication success processing of the information processing apparatus 141 in step S2330.

  In the embodiment of FIG. 17, the random number RA and the random number RB are compared in step S2328. However, the random number RA and the random number RB can be compared in an encrypted state. An embodiment in this case is shown in FIG.

  The processing of the information processing apparatus 141 in steps S2361 to S2371 in FIG. 18 is the same as the processing in steps S2301 to S2311 in FIG. Also, the processing of the information processing apparatus 111 from step S2391 to S2395 in FIG. 18 is the same as the processing from step S2321 to S2325 in FIG. The processing in steps S2396 to S2400 in FIG. 18 is different from the processing in steps S2326 to S2330 in FIG.

That is, the following processing is performed in the embodiment of FIG. In the information processing apparatus 111, the encryption unit 125 as the authentication information generation unit in step S2396 performs in advance a process of generating authentication information necessary for performing the authentication process in later step S2398. Specifically, in this embodiment, since the comparison with the information Token BA received from the information processing apparatus 141 in step S2398 is performed, the encryption unit 125 combines the random number RB and the random number RA according to the following equation: (RB || RA) is encrypted with the key KC, and an expected value Answer BA is generated.
Answer BA = eKC (RB || RA) (25)

  In step S2397, the reception unit 122 receives the information Token BA transmitted from the information processing apparatus 141. This information Token BA is generated in step S2370, and is a combination of the random number RB and the random number RA (RB || RA) encrypted with the key KC.

  In step S2398, the authentication unit 124 determines whether the information Token BA received from the information processing apparatus 141 in step S2397 matches the expected value Answer BA generated in step S2396.

  If the information processing apparatus 141 is a legitimate information processing apparatus, the information processing apparatus 141 has the correct fixed key KAB. Therefore, in step S2365, the information processing apparatus 141 generates a key KC generated by applying the random number RC to the key KAB. Is the same value as the key KC generated by the information processing apparatus 111 in step S2393. Therefore, in this case, the information Token BA matches the expected value Answer BA.

  However, when the information processing apparatus 141 is an unauthorized information processing apparatus, the correct key KAB is not held. As a result, the information Token BA does not match the expected value Answer BA. Therefore, in this case, in step S2399, the authentication unit 124 executes an authentication failure process of the information processing apparatus 141.

  If the information Token BA matches the expected value Answer BA, the authentication unit 124 executes authentication success processing of the information processing apparatus 141 in step S2400.

  In the embodiment of FIG. 17, the random number RB is set as the comparison target in step S2307. In step S2328, the random number RA and the random number RB are also compared. This comparison target may be a random number that remains encrypted. An embodiment in this case is shown in FIG.

  The processing of the information processing device 141 in steps S2501 to S2511 in the embodiment of FIG. 19 is basically the same as the processing of the information processing device 141 in steps S2301 to S2311 of FIG. 17, but step S2503 of FIG. The processing of S2506 and S2507 is different from the processing of steps S2303, S2306, and S2307 in FIG.

  Further, the processing of the information processing apparatus 111 in steps S2531 to S2540 in FIG. 19 is basically the same as the processing of the information processing apparatus 111 in steps S2321 to S2330 in FIG. 17, but steps S2535, S2537, and S2538 in FIG. This processing is different from the processing in steps S2325, S2327, and S2328 in FIG.

  That is, in the case of the embodiment of FIG. 19, the transmission unit 126 of the information processing apparatus 111 transmits not only the information Token AB and the random number RC but also the random number RA in step S2535. The information Token AB is generated by the encryption unit 125 in step S2534, and is a combination of the random number RA and the random number RB (RA || RB) encrypted with the key KC.

In the information processing apparatus 141, in step S2503, the receiving unit 152 receives not only the information Token AB and the random number RC but also the random number RA. In step S2504, the generation unit 157 generates a key KAB. In step S2505, the generation unit 158 generates a key KC by applying a random number RC to the key KAB based on the following equation.
KC = f (RC, KAB) (26)

In step S2506, the encryption unit 155 serving as an authentication information generation unit performs processing for generating authentication information necessary for performing authentication processing in later step S2507. Specifically, in this embodiment, since the comparison with the information Token AB received from the information processing apparatus 111 is performed in step S2507, the encryption unit 155 combines the random number RA and the random number RB (RA || RB) is encrypted with the key KC, and information Token AB is generated. That is, the following equation is calculated.
Token AB = eKC (RA || RB) (27)

  In step S2507, the authentication unit 154 determines whether the encryption result obtained in step S2506 matches the information Token AB received from the information processing apparatus 111 in step S2503. If the information Token AB calculated by Expression (27) and the information Token AB received from the information processing apparatus 111 do not match, authentication failure processing of the information processing apparatus 111 is executed in step S2508. On the other hand, when the information Token AB calculated by Expression (27) matches the information Token AB received from the information processing apparatus 111, an authentication success process of the information processing apparatus 111 is executed in step S2509.

Further, in order to cause the information processing apparatus 111 to authenticate the information processing apparatus 141, in step S2510, the encryption unit 155 encrypts the random number RB and the random number RA with the key KC. That is, the combination (RB || RA) of the random number RB generated in step S2501 and the random number RA received from the information processing apparatus 111 is encrypted according to the following equation.
Token BA = eKC (RB || RA) (28)

  In step S2511, the transmission unit 156 transmits the information Token BA calculated by Expression (28) to the information processing apparatus 111.

In the information processing apparatus 111, the reception unit 122 receives the information Token BA from the information processing apparatus 141 in step S2536. In step S2537, the encryption unit 125 as an authentication information generation unit performs processing for generating authentication information for performing authentication determination in the next step S2538. Specifically, in the case of this embodiment, the combination (RB || RA) of the random number RB received from the information processing apparatus 141 in step S2531 and the random number RA transmitted to the information processing apparatus 141 in step S2535 is used as a key. Processing for encryption with KC is performed.
That is, the following equation is calculated.
Token BA = eKC (RB || RA) (29)

  In step S2538, the authentication unit 124 matches the encryption result of step S2537 (that is, the information token BA calculated according to the equation (29) in step S2537) and the information token BA received from the information processing apparatus 141 in step S2536. Judge whether to do. If the two pieces of information Token BA do not match, the authentication unit 124 executes an authentication failure process of the information processing apparatus 141 in step S2539.

  If the two pieces of information Token BA match, the authentication unit 124 executes authentication success processing of the information processing apparatus 141 in step S2540.

  The other processes are the same as those in FIG.

  In the embodiment of FIG. 19, after receiving the information Token BA from the information processing apparatus 141 in step S2536, the random number RB and the random number RA are encrypted with the key KC in step S2537, but the receiving process in step S2536 is performed. It can also be encrypted before An embodiment in this case is shown in FIG.

  The processing of the information processing apparatus 141 in steps S2551 to S2561 in the embodiment of FIG. 20 is the same as the processing of the information processing apparatus 141 in steps S2501 to S2511 of FIG. The processing of the information processing apparatus 111 in steps S2581 to S2590 in FIG. 20 is basically the same as the processing of the information processing apparatus 111 in steps S2531 to S2540 in FIG. 19, but corresponds to the processing in step S2537 in FIG. The difference is that the process of step S2586 of 20 is performed before the process of step S2587 of FIG. 20 corresponding to the process of step S2536 of FIG.

That is, in the embodiment of FIG. 20, before the information Token BA from the information processing apparatus 141 is received in step S2587, the encryption unit 125 performs encryption processing according to the following equation in step S2586.
Answer BA = eKC (RB || RA) (30)

  In step S2588, the information token BA received in step S2588 is compared with the answer BA generated in step S2586. If they do not match, authentication failure processing of the information processing device 141 is performed in step S2589, and if they match, authentication success processing of the information processing device 141 is performed in step S2590.

  Other processes are the same as those in FIG.

<4. Third Embodiment>
Next, the bidirectional authentication process of the third method will be described. In the bidirectional authentication processing of the third method, a random number used for authentication is encrypted and transmitted from the authenticating device to the authenticating device. In the third type of authentication process, two types of random number Ra and random number Rb and two types of fixed key Ka and fixed key Kb are used.

  FIG. 21 is a flowchart for explaining bidirectional authentication processing of the third method.

In the information processing apparatus 141, the generation unit 157 generates a random number Ra and a fixed key Ka in step S3101. In step S3102, the encryption unit 155 encrypts the random number Ra with the fixed key Ka to generate information M1. That is, the following equation is calculated.
M1 = eKa (Ra) (31)

  In step S <b> 3103, the transmission unit 156 transmits information M <b> 1 to the information processing apparatus 111. That is, the information M1 is transmitted to the information processing apparatus 111 via the antenna unit 151.

  In the information processing apparatus 111, the reception unit 122 receives the information M <b> 1 transmitted from the information processing apparatus 141 via the antenna unit 121 in step S <b> 3151. In step S3152, the generation unit 127 generates a fixed key Ka and supplies it to the decryption unit 123. The decryption unit 123 obtains the random number Ra by decrypting the information M1 with the fixed key Ka.

In step S3153, the generation unit 127 generates a random number Rb and a fixed key Kb. In step S3154, the encryption unit 125 calculates the exclusive OR (XOR: exclusive or) of the random number Ra and the random number Rb, and further encrypts the calculation result with the fixed key Kb to generate the information M2. That is, the following equation is calculated.
M2 = eKb (Ra XOR Rb) (32)

In step S3155, the encryption unit 125 generates information M3 by encrypting the random number Rb with the fixed key Kb. That is, the following equation is calculated.
M3 = eKb (Rb) (33)

  In step S3156, the transmission unit 126 transmits the information M2 to the information processing device 141. That is, the information M2 is transmitted to the information processing apparatus 141 via the antenna unit 121. In step S3157, the transmission unit 126 transmits the information M3 to the information processing device 141. That is, the information M3 is transmitted to the information processing apparatus 141 via the antenna unit 121.

  Note that the information M2 and the information M3 may be transmitted to the information processing apparatus 141 at the same time.

  In the information processing apparatus 141, the reception unit 152 receives the information M2 transmitted from the information processing apparatus 111 via the antenna unit 151 in step S3104. In step S3105, the generation unit 157 generates the key Kb and supplies it to the decryption unit 153. The decryption unit 153 decrypts the information M2 with the fixed key Kb, thereby obtaining an exclusive OR (Ra XOR Rb) of the random number Ra and the random number Rb, and outputs it to the authentication unit 154.

  In step S <b> 3106, the reception unit 152 receives the information M <b> 3 transmitted from the information processing apparatus 111 via the antenna unit 151. In step S3107, the decryption unit 153 obtains the random number Rb by decrypting the information M3 with the fixed key Kb, and outputs the random number Rb to the authentication unit 154.

In step S3108, the encryption unit 155 calculates the random number Ra by calculating the exclusive OR of the random number Ra and the random number Rb (Ra XOR Rb) and the random number Rb in accordance with the control from the authentication unit 154. To get. That is, the following equation is calculated.
Ra = (Ra XOR Rb) XOR Rb (34)

  In step S3109, the authentication unit 154 performs authentication based on the consistency of the random number Ra. Specifically, it is determined whether the random number Ra generated in step S3101 matches the random number Ra acquired in step S3108. The fixed key Ka and the fixed key Kb are secret keys held only by the regular information processing apparatus 111. Therefore, when the information processing apparatus 111 is a legitimate information processing apparatus, the two random numbers Ra match. In this case, the authentication unit 154 executes authentication success processing of the information processing apparatus 111 in step S3111.

  On the other hand, when the information processing apparatus 111 is not a legitimate information processing apparatus, the two random numbers Ra do not match because the fixed key Ka and the fixed key Kb are not provided. In this case, the authentication unit 154 executes authentication failure processing of the information processing apparatus 111 in step S3110.

  Further, in order to cause the information processing apparatus 111 to authenticate the information processing apparatus 141, the following processing is executed.

In step S3112, the encryption unit 155 generates information M4 by encrypting the exclusive OR (Ra XOR Rb) of the random number Ra and the random number Rb with the fixed key Ka according to the control from the authentication unit 154. That is, the following equation is calculated.
M4 = eKa (Ra XOR Rb) (35)

  In step S <b> 3113, the transmission unit 156 transmits information M <b> 4 to the information processing apparatus 111. That is, the information M4 is transmitted to the information processing apparatus 111 via the antenna unit 151.

  In the information processing apparatus 111, the reception unit 122 receives the information M4 transmitted from the information processing apparatus 141 via the antenna unit 121 in step S3158. In step S3159, the decryption unit 123 decrypts the information M4 with the fixed key Ka, thereby obtaining an exclusive OR (Ra XOR Rb) of the random number Ra and the random number Rb and outputs it to the authentication unit 124.

In step S3160, the encryption unit 125 calculates the random number Rb by calculating the exclusive OR of the random number Ra and the random number Rb (Ra XOR Rb) and the random number Ra in accordance with the control from the authentication unit 124. To get. That is, the following equation is calculated.
Rb = (Ra XOR Rb) XOR Ra (36)

  In step S3161, the authentication unit 124 performs authentication based on the consistency of the random number Rb. Specifically, it is determined whether the random number Rb generated in step S3153 matches the random number Rb acquired in step S3160. The fixed key Ka and the fixed key Kb are secret keys held only by the regular information processing apparatus 141. Therefore, when the information processing device 141 is a regular information processing device, the two random numbers Rb match. In this case, the authentication unit 124 executes authentication success processing of the information processing apparatus 141 in step S3163.

  On the other hand, when the information processing apparatus 141 is not a regular information processing apparatus, the two random numbers Rb do not match because they do not have the fixed key Ka and the fixed key Kb. In this case, the authentication unit 124 executes authentication failure processing of the information processing apparatus 141 in step S3162. The information processing apparatus 141 is also authenticated from the information processing apparatus 111 as described above.

  According to the bidirectional authentication processing of the third method described above, since the secret keys (fixed keys Ka and Kb) held in advance are used for encryption and decryption, there is no need to generate a time-varying key. Further, each of the information processing device 111 and the information processing device 141 can complete the number of generated random numbers once.

  For the purpose of hacking, even if the same information M1 is supplied to the information processing apparatus 111 a plurality of times and the processing result information M2 for the information M1 is obtained a plurality of times, the information M2 as the processing result is It is calculated using a random number Rb that changes every time. Therefore, even if a large number of processing results are collected and analyzed by a DFA attack, the key that processed the data cannot be identified. In other words, it can defend against DFA attacks.

  In the embodiment of FIG. 21, information M2 is generated by encrypting the operation value of the exclusive OR in step S3154 and using the fixed key Kb, and this information M2 is generated by the fixed key Kb in step S3105. An operation value of exclusive OR is obtained by decoding. Further, the information M3 is generated by encrypting the random number Rb using the fixed key Kb in step S3155, and the random number Rb is obtained by decrypting the information M3 with the fixed key Kb in step S3107. The relationship between encryption and decryption can be interchanged. An embodiment in this case is shown in FIG.

  The processing of the information processing apparatus 141 in steps S3201 to S3213 in the embodiment of FIG. 22 is basically the same as the processing of the information processing apparatus 141 in steps S3101 to S3113 of FIG. 21, but step S3205 of FIG. The process of S3207 is different from the processes of steps S3105 and S3107 of FIG.

  The processing of the information processing apparatus 111 in steps S3251 to S3263 in FIG. 22 is basically the same as the processing of the information processing apparatus 111 in steps S3151 to S3163 in FIG. 21, but the processing in steps S3254 and S3255 in FIG. However, this is different from the processing in steps S3154 and S3155 of FIG.

That is, in the case of the embodiment of FIG. 22, in the information processing apparatus 111, in step S3254, the encryption unit 125 calculates the exclusive OR (XOR: exclusive or) of the random number Ra and the random number Rb, The decryption unit 123 decrypts using the fixed key Kb, thereby generating information M2. That is, the following equation is calculated. For example, dK (A) represents that the value A is decrypted with the key K.
M2 = dKb (Ra XOR Rb) (37)

In step S3155, the decryption unit 123 decrypts the random number Rb using the fixed key Kb, thereby generating information M3. That is, the following equation is calculated.
M3 = dKb (Rb) (38)

  In the information processing apparatus 141, the generation unit 157 generates the key Kb and supplies it to the encryption unit 155 in step S3205. The encryption unit 155 encrypts the information M2 with the fixed key Kb, thereby obtaining an exclusive OR (Ra XOR Rb) of the random number Ra and the random number Rb, and outputs it to the authentication unit 154.

  In step S3207, the encryption unit 155 acquires the random number Rb by encrypting the information M3 with the fixed key Kb, and outputs the random number Rb to the authentication unit 154.

  Other processes are the same as those in FIG.

<5. Fourth Embodiment>
Next, a bidirectional authentication process of the fourth method will be described. In the bidirectional authentication processing of the fourth method, a random number used for authentication is encrypted and transmitted from the authenticating device to the authenticating device. In the fourth type of authentication process, two types of random numbers Ra and Rb and one type of fixed key Ka are used. Further, the generated random number Ra and random number Rb are used as an encryption key and a decryption key, respectively.

  FIG. 23 is a flowchart for explaining the bidirectional authentication processing of the fourth method.

In the information processing apparatus 141, the generation unit 157 generates a random number Ra and a fixed key Ka in step S3301. In step S3302, the encryption unit 155 encrypts the random number Ra with the fixed key Ka to generate information M1.
M1 = eKa (Ra) (39)

  In step S3303, the transmission unit 156 transmits the information M1 to the information processing apparatus 111. That is, the information M1 is transmitted to the information processing apparatus 111 via the antenna unit 151.

  In the information processing apparatus 111, the receiving unit 122 receives the information M <b> 1 transmitted from the information processing apparatus 141 via the antenna unit 121 in step S <b> 3351. In step S3352, the generation unit 127 generates a fixed key Ka and supplies it to the decryption unit 123. The decryption unit 123 obtains the random number Ra ′ by decrypting the information M1 with the fixed key Ka. If the fixed key Ka used in this decryption is the same as the fixed key Ka used at the time of encryption, the random number Ra 'is the same as the random number Ra.

In step S3353, the generation unit 127 generates a random number Rb. In step S3354, the encryption unit 125 generates information M2 by encrypting the random number Ra ′ using the random number Rb as a key. That is, the following equation is calculated.
M2 = eRb (Ra ′) (40)

In step S3355, the encryption unit 125 generates information M3 by encrypting the random number Rb with the fixed key Ka. That is, the following equation is calculated.
M3 = eKa (Rb) (41)

  In step S3356, the transmission unit 126 transmits the information M2 to the information processing device 141. That is, the information M2 is transmitted to the information processing apparatus 141 via the antenna unit 121.

  In step S3357, the transmission unit 126 transmits the information M3 to the information processing device 141. That is, the information M3 is transmitted to the information processing apparatus 141 via the antenna unit 121. Note that the information M2 and the information M3 may be transmitted to the information processing apparatus 141 at the same time.

  In the information processing apparatus 141, the receiving unit 152 receives the information M2 transmitted from the information processing apparatus 111 via the antenna unit 151 in step S3304. In step S <b> 3305, the information M <b> 3 transmitted from the information processing apparatus 111 is received via the antenna unit 151.

  In step S3306, the decryption unit 153 obtains a random number Rb ′ by decrypting the information M3 with the fixed key Ka. If the fixed key Ka used in the decryption is the same as the fixed key Ka used at the time of encryption, the random number Rb 'is the same as the random number Rb.

  In step S3307, the decryption unit 153 decrypts the information M2 using the random number Rb ′ as a key, and outputs the random number Ra ″ obtained as a result to the authentication unit 154.

  In step S3108, the authentication unit 154 performs authentication based on the consistency of the random number Ra. Specifically, it is determined whether or not the random number Ra generated in step S3301 matches the random number Ra ″ acquired in step S3107. Only the regular information processing apparatus 111 holds the fixed key Ka. Therefore, when the information processing apparatus 111 is a legitimate information processing apparatus, the random number Ra and the random number Ra ″ match. In this case, the authentication unit 154 executes authentication success processing of the information processing apparatus 111 in step S3310.

  On the other hand, if the information processing apparatus 111 is not a legitimate information processing apparatus, the random number Ra does not match the random number Ra ″ because it does not have the correct fixed key Ka. In this case, in this case, in step S3309. The authentication unit 154 executes an authentication failure process of the information processing apparatus 111.

  Further, in order to cause the information processing apparatus 111 to authenticate the information processing apparatus 141, the following processing is executed.

In step S3311, the encryption unit 155 generates information M4 by encrypting the random number Rb ′ using the random number Ra as a key in accordance with the control from the authentication unit 154. That is, the following equation is calculated.
M4 = eRa (Rb ′) (42)

  In step S <b> 3112, the transmission unit 156 transmits information M <b> 4 to the information processing apparatus 111. That is, the information M4 is transmitted to the information processing apparatus 111 via the antenna unit 151.

  In the information processing apparatus 111, the reception unit 122 receives the information M <b> 4 transmitted from the information processing apparatus 141 via the antenna unit 121 in step S <b> 3358. In step S3359, the decryption unit 123 decrypts the information M4 using the random number Ra ′ as a key, and outputs the random number Rb ″ obtained as a result to the authentication unit 124.

  In step S3360, the authentication unit 124 performs authentication based on the consistency of the random number Rb. Specifically, it is determined whether or not the random number Rb generated in step S3353 matches the random number Rb ″ acquired in step S3359. Only the regular information processing apparatus 141 holds the fixed key Ka. Therefore, when the information processing apparatus 141 is a legitimate information processing apparatus, the random number Rb and the random number Rb ″ match. In this case, the authentication unit 124 executes authentication success processing of the information processing apparatus 141 in step S3362.

  On the other hand, if the information processing apparatus 141 is not a legitimate information processing apparatus, the random number Rb and the random number Rb ″ do not match because they do not have the fixed key Ka. In this case, authentication is performed in step S3361. The unit 124 executes an authentication failure process of the information processing apparatus 141. As described above, the information processing apparatus 141 is also authenticated from the information processing apparatus 111.

  According to the bidirectional authentication process of the fourth method described above, the information processing apparatus 111 and the information processing apparatus 141 may hold one secret key (fixed key Ka) in advance. Further, each of the information processing device 111 and the information processing device 141 can complete the number of generated random numbers once.

  For the purpose of hacking, even if the same information M1 is supplied to the information processing apparatus 111 a plurality of times and the processing result information M2 for the information M1 is obtained a plurality of times, the information M2 as the processing result is This is encrypted using a random number Rb that changes every time as a key. Therefore, even if a large number of processing results are collected and analyzed by a DFA attack, the key that processed the data cannot be identified. In other words, it can defend against DFA attacks.

  In the embodiment of FIG. 23, information M1 is generated by encryption using the fixed key Ka in step S3302, and this information M1 is decrypted with the fixed key Ka in step S3352. In step S3311, the information M4 is generated by encryption using the random number Rb as a key, and the information M4 is decrypted using the random number Ra ′ as a key in step S3359. The relationship between encryption and decryption can be interchanged. An embodiment in this case is shown in FIG.

  The processing of the information processing apparatus 141 in steps S3401 to S3412 in the embodiment of FIG. 24 is basically the same as the processing of the information processing apparatus 141 in steps S3301 to S3312 of FIG. The process of S3411 is different from the processes of steps S3302 and S3311 of FIG.

  The processing of the information processing apparatus 111 in steps S3451 to S3462 in FIG. 24 is basically the same as the processing of the information processing apparatus 111 in steps S3351 to S3362 in FIG. 22, but the processing in steps S3452 and S3659 in FIG. However, this is different from the processing in steps S3352 and S3359 in FIG.

24, in the information processing apparatus 141, in step S3402, the decryption unit 153 decrypts the random number Ra with the fixed key Ka to generate information M1. That is, the following equation is calculated.
M1 = dKa (Ra) (43)

In step S3411, the decryption unit 153 decrypts the random number Rb ′ using the random number Ra, thereby generating information M4. That is, the following equation is calculated.
M4 = dRa (Rb ′) (44)

  In the information processing apparatus 111, the generation unit 127 generates the fixed key Ka and supplies it to the encryption unit 125 in step S3452. The encryption unit 125 obtains the random number Ra ′ by encrypting the information M1 with the fixed key Ka.

  In step S3359, the encryption unit 125 obtains the random number Rb ″ by encrypting the information M4 with the random number Ra ′.

  Other processes are the same as those in FIG.

<6. Fifth embodiment>
Next, the bidirectional authentication process of the fifth method will be described. In the bi-directional authentication process of the fifth method, a random number used for authentication is encrypted and transmitted from the authenticating device to the authenticating device. In the fifth type of authentication process, two types of random numbers Ra and Rb and one type of fixed key Ka are used. Further, the generated random number Ra and random number Rb are used as an encryption key and a decryption key, respectively. Furthermore, a conversion process F _R (X) using a random number R and an inverse conversion process F ⁻¹ _R (X) are used.

  FIG. 25 is a flowchart for explaining the bidirectional authentication processing of the fifth method.

In the information processing apparatus 141, the generation unit 157 generates a random number Ra and a fixed key Ka in step S3501. In step S3502, the encryption unit 155 encrypts the random number Ra with the fixed key Ka to generate information M1.
M1 = eKa (Ra) (45)

  In step S3503, the transmission unit 156 transmits the information M1 to the information processing apparatus 111. That is, the information M1 is transmitted to the information processing apparatus 111 via the antenna unit 151.

  In the information processing apparatus 111, the reception unit 122 receives the information M <b> 1 transmitted from the information processing apparatus 141 via the antenna unit 121 in step S <b> 3551. In step S3552, the generation unit 127 generates a fixed key Ka and supplies it to the decryption unit 123. The decryption unit 123 obtains the random number Ra ′ by decrypting the information M1 with the fixed key Ka. If the fixed key Ka used in this decryption is the same as the fixed key Ka used at the time of encryption, the random number Ra 'is the same as the random number Ra.

In step S3553, the generation unit 127 generates a random number Rb. In step S3554, the encryption unit 125 performs a conversion process F _Rb (X) using the random number Rb on the random number Ra ′. Further, in step S3554, the encryption unit 125 generates information M2 by encrypting the conversion processing result F _Rb (Ra ′) using the random number Rb as a key. That is, the following equation is calculated.
M2 = eRb (F _Rb (Ra ′)) (46)

In step S3556, the encryption unit 125 generates information M3 by encrypting the random number Rb with the fixed key Ka. That is, the following equation is calculated.
M3 = eKa (Rb) (47)

  In step S3557, the transmission unit 126 transmits the information M2 to the information processing device 141. That is, the information M2 is transmitted to the information processing apparatus 141 via the antenna unit 121.

  In step S3558, the transmission unit 126 transmits the information M3 to the information processing device 141. That is, the information M3 is transmitted to the information processing apparatus 141 via the antenna unit 121. Note that the information M2 and the information M3 may be transmitted to the information processing apparatus 141 at the same time.

  In the information processing apparatus 141, the receiving unit 152 receives the information M2 transmitted from the information processing apparatus 111 via the antenna unit 151 in step S3504. In step S3505, the information M3 transmitted from the information processing apparatus 111 is received via the antenna unit 151.

  In step S3506, the decrypting unit 153 obtains the random number Rb ′ by decrypting the information M3 with the fixed key Ka. If the fixed key Ka used in the decryption is the same as the fixed key Ka used at the time of encryption, the random number Rb 'is the same as the random number Rb.

In step S3507, the decryption unit 153 obtains the conversion processing result F _Rb (Ra ′) by decrypting the information M2 using the random number Rb ′ as a key, and supplies the result to the authentication unit 154. In step S3508, the encryption unit 155 performs inverse conversion processing F ⁻¹ _Rb (X) using the random number Rb ′ on the conversion processing result F _Rb (Ra ′) according to the control of the authentication unit 154, and the result is obtained. The random number Ra ″ is output to the authentication unit 154.

  In step S3509, the authentication unit 154 performs authentication based on the consistency of the random number Ra. Specifically, it is determined whether the random number Ra generated in step S3501 matches the random number Ra ″ acquired in step S3508. The fixed key Ka is held only by the legitimate information processing apparatus 111. Therefore, when the information processing apparatus 111 is a legitimate information processing apparatus, the random number Ra and the random number Ra ″ match. In this case, the authentication unit 154 executes authentication success processing of the information processing apparatus 111 in step S3511.

  On the other hand, if the information processing apparatus 111 is not a legitimate information processing apparatus, the random number Ra does not match the random number Ra ″ because it does not have the correct fixed key Ka. In this case, in this case, in step S3510. The authentication unit 154 executes an authentication failure process of the information processing apparatus 111.

  Further, in order to cause the information processing apparatus 111 to authenticate the information processing apparatus 141, the following processing is executed.

In step S <b> 3512, the encryption unit 155 performs conversion processing F _Ra (X) using the random number Ra on the random number Rb ′ according to the control from the authentication unit 154. Further, in step S3513, the encryption unit 155 generates information M4 by encrypting the conversion processing result F _Ra (Rb ′) using the random number Ra as a key. That is, the following equation is calculated.
M4 = eRa (F _Ra (Rb ′)) (48)

  In step S <b> 3514, the transmission unit 156 transmits information M <b> 4 to the information processing apparatus 111. That is, the information M4 is transmitted to the information processing apparatus 111 via the antenna unit 151.

In the information processing apparatus 111, the reception unit 122 receives the information M4 transmitted from the information processing apparatus 141 via the antenna unit 121 in step S3559. In step S3560, the decryption unit 123 obtains the conversion processing result F _Ra (Rb ′) by decrypting the information M4 using the random number Ra ′ as a key, and outputs the result to the authentication unit 124.

In step S3561, the encryption unit 125 performs inverse conversion processing F ⁻¹ _{Ra ′} (X) using the random number Ra ′ on the conversion processing result F _Ra (Rb ′) according to the control from the authentication unit 124, and the result The obtained random number Rb ″ is output to the authentication unit 124.

  In step S3562, the authentication unit 124 performs authentication based on the consistency of the random number Rb. Specifically, it is determined whether or not the random number Rb generated in step S3553 matches the random number Rb ″ acquired in step S3561. Only the legitimate information processing apparatus 141 holds the fixed key Ka. Therefore, when the information processing apparatus 141 is a legitimate information processing apparatus, the random number Rb and the random number Rb ″ match. In this case, the authentication unit 124 executes authentication success processing of the information processing apparatus 141 in step S3364.

  On the other hand, when the information processing apparatus 141 is not a legitimate information processing apparatus, the random number Rb and the random number Rb ″ do not match because they do not have the fixed key Ka. In this case, authentication is performed in step S3563. The unit 124 executes an authentication failure process of the information processing apparatus 141. As described above, the information processing apparatus 141 is also authenticated from the information processing apparatus 111.

  According to the bidirectional authentication processing of the fifth method described above, the information processing apparatus 111 and the information processing apparatus 141 may hold one secret key (fixed key Ka) in advance. Further, each of the information processing device 111 and the information processing device 141 can complete the number of generated random numbers once.

  For the purpose of hacking, even if the same information M1 is supplied to the information processing apparatus 111 a plurality of times and the processing result information M2 for the information M1 is obtained a plurality of times, the information M2 as the processing result is This is encrypted using a random number Rb that changes every time as a key. Therefore, even if a large number of processing results are collected and analyzed by a DFA attack, the key that processed the data cannot be identified. In other words, it can defend against DFA attacks.

  The present invention can also be applied to information processing apparatuses other than IC cards and reader / writers.

  The communication may be communication other than proximity communication. Further, not wireless communication, but wired communication as well as communication in which wireless communication and wired communication are mixed, that is, wireless communication is performed in a certain section and wired communication is performed in another section. . Further, communication from one device to another device may be performed by wired communication, and communication from another device to one device may be performed by wireless communication.

  The series of processes described above can be executed by hardware or can be executed by software. When a series of processing is executed by software, a program constituting the software executes various functions by installing a computer incorporated in dedicated hardware or various programs. For example, it is installed from a program recording medium in a general-purpose personal computer or the like.

  For example, a program recording medium that stores a program that is installed in a computer and can be executed by the computer, such as the storage unit 129 in FIG. 8 or the storage unit 159 in FIG. 9, is a magnetic disk (including a flexible disk). , Removable media that is package media consisting of optical discs (including compact disc-read only memory (CD-ROM), DVD (digital versatile disc)), magneto-optical discs), or semiconductor memory, or programs temporarily It is composed of ROM, hard disk, etc. that are stored permanently or permanently. The program is stored in the program recording medium using a wired or wireless communication medium such as a local area network, the Internet, or digital satellite broadcasting via a communication unit that is an interface such as a router or a modem as necessary. Is called.

  In the present specification, the steps for describing a program are not only processes performed in time series in the order described, but also processes that are executed in parallel or individually even if they are not necessarily processed in time series. Is also included.

  Further, in this specification, the system represents the entire apparatus constituted by a plurality of apparatuses.

  The embodiment of the present invention is not limited to the above-described embodiment, and various modifications can be made without departing from the gist of the present invention.

  DESCRIPTION OF SYMBOLS 100 Information processing system, 111 Information processing apparatus, 121 Antenna part, 122 Reception part, 123 Decoding part, 124 Authentication part, 125 Encryption part, 126 Transmission part, 127 Generation part, 128 Generation part, 129 Storage part, 141 Information processing Device, 151 antenna unit, 152 receiving unit, 153 decrypting unit, 154 authenticating unit, 155 encrypting unit, 156 transmitting unit, 157 generating unit, 158 generating unit, 159 storage unit, 160 interface

Claims (14)

A receiving unit for receiving a first random number from another information processing apparatus;
A random number generator for generating a second random number;
A time-varying key generation unit that generates a time-varying key for encryption by applying the second random number to a first fixed key ;
An encryption unit for encrypting the first random number with the time-varying key;
An information processing apparatus comprising: the first random number encrypted with the time-varying key; and a transmission unit that transmits the second random number to the other information processing apparatus. The random number generator further generates a third random number,
The encryption unit further encrypts the third random number with the time-varying key,
The transmission unit further transmits the encrypted third random number to the other information processing apparatus,
The receiving unit receives the third random number encrypted with the second fixed key from the other information processing apparatus;
A decryption unit for decrypting the encrypted third random number with the second fixed key;
The information processing apparatus according to claim 1 , further comprising: an authentication unit that performs authentication using the decrypted third random number. The random number generator further generates a third random number,
The encryption unit further encrypts the third random number with the time-varying key,
The transmission unit further transmits the encrypted third random number to the other information processing apparatus,
The encryption unit further encrypts the third random number with the second fixed key,
The receiving unit receives the third random number encrypted with the second fixed key from the other information processing apparatus;
The information processing apparatus according to claim 1 , further comprising: an authentication unit that performs authentication with the encrypted third random number. The received first random number is encrypted;
A decrypting unit for decrypting the encrypted first random number received from the other information processing apparatus with a second fixed key;
  The information processing apparatus according to claim 1, further comprising: The information processing apparatus according to claim 4 , wherein the information processing apparatus is an IC card.   By information processing equipment
    Receiving a first random number from another information processing device;
    Generate a second random number,
    Generating a time-varying key for encryption by applying the second random number to the first fixed key;
    Encrypting the first random number with the time-varying key;
    The first random number encrypted with the time-varying key and the second random number are transmitted to the other information processing apparatus.
  An information processing method including steps. Computer
A receiving unit for receiving a first random number from another information processing apparatus;
A random number generator for generating a second random number;
A time-varying key generation unit that generates a time-varying key for encryption by applying the second random number to a first fixed key ;
An encryption unit for encrypting the first random number with the time-varying key;
A transmitting unit that transmits the first random number encrypted with the time-varying key and the second random number to the other information processing apparatus ;
Program to make it work . A random number generator for generating a first random number ;
A transmission unit for transmitting the first random number to another information processing apparatus;
A receiving unit that receives the first random number encrypted with the first time-varying key and the second random number from the other information processing apparatus;
A time-varying key generation unit that generates the second time-varying key that is the same as the first time-varying key by applying the second random number to the first fixed key ;
An authentication information generating unit that generates authentication information for authenticating the other information processing apparatus using the second time-varying key;
An information processing apparatus comprising: an authentication unit that authenticates the other information processing apparatus with the authentication information. And the transmission unit, to claim 8, further transmitting the encrypted first random number with a different second fixed key and the first fixed key used for generating the second time variable key The information processing apparatus described. The receiving unit further receives a third random number encrypted with the first time-varying key from the other information processing apparatus,
A decryption unit for decrypting the received third random number encrypted with the first time-varying key with the second time-varying key;
An encryption unit that encrypts the third random number obtained by decryption with the second fixed key;
The information processing apparatus according to claim 9 , wherein the transmission unit further transmits the third random number encrypted with the second fixed key to the other information processing apparatus. The information processing apparatus according to claim 8 , wherein the information processing apparatus is a reader / writer. By information processing equipment
Generate a first random number,
Transmitting the first random number to another information processing apparatus;
Receiving the first random number and the second random number encrypted with the first time-varying key from the other information processing apparatus;
Generating a second time-varying key that is the same as the first time-varying key by applying the second random number to a first fixed key;
Generating authentication information for authenticating the other information processing apparatus using the second time-varying key;
Authenticate the other information processing apparatus with the authentication information
An information processing method including steps. Computer
A random number generator for generating a first random number;
A transmission unit for transmitting the first random number to another information processing apparatus ;
A receiving unit that receives the first random number encrypted with the first time-varying key and the second random number from the other information processing apparatus ;
An authentication information generating unit that generates a second time-varying key that is the same as the first time-varying key by applying the second random number to a first fixed key ;
An authentication unit for authenticating the other information processing apparatus with the authentication information ;
Program to make it work . The first information processing apparatus
Receiving a first random number from the second information processing apparatus;
Generate a second random number,
Causing the second random number to act on a first fixed key to generate a first time-varying key for encryption ;
Encrypting the first random number with the first time-varying key;
Transmitting the second random number and the first random number is encrypted to said second information processing apparatus,
The second information processing apparatus
Receiving the encrypted first random number and the second random number transmitted from the first information processing apparatus;
Generating a second time-varying key that is the same as the first time-varying key by applying the second random number to a first fixed key ;
Generating authentication information with the second time-varying key;
An information processing system for authenticating the first information processing apparatus with the authentication information.

Images